What Brussels actually put on the table
On 7 July 2026 the European Commission presented its Action Plan on Cybersecurity and Artificial Intelligence, and the part that matters for operators is quiet but structural. The AI Act already requires advanced AI models to be evaluated and their risks assessed before they are placed on the EU market. The Commission now says it will help build an EU evaluation capacity to strengthen independent, third-party assessment of what these models can do and where they are risky, working in direct support of the AI Office - the body whose enforcement powers switch on 2 August 2026.
Alongside that, the EU Agency for Cybersecurity and the Commission's Joint Research Centre will stand up a secure platform to test AI for cybersecurity, using simulated environments, by the end of 2026. The Commission also wants a European blueprint for structured access to advanced AI capabilities for defence. Read together, these are not vague ambitions - they are the machinery for a world in which a model is examined by public bodies before, and after, it reaches the businesses that will run it.
Why this lands on critical-sector operators first
The plan names its first audience plainly: finance, energy, health, transport and public administration. The secure testing platform is built for exactly those operators, so they can see how a model behaves in cybersecurity use before trusting it in production. That is genuinely useful - a state-run place to test AI in a simulated environment is something no single mid-sized operator could build alone. But a reference platform also sets a reference standard, and once one exists, using AI without having checked it against that standard starts to look like a choice you have to defend.
The access question is sharper still. A blueprint for structured access to advanced AI decides who gets to use the strongest models for defence, and on what terms. For a European operator that means the most capable tools may come with conditions attached - vetting, documentation, sector rules - rather than a simple licence. The upside is a shared floor of safety; the cost is that your choice of model in a critical sector is no longer only a procurement decision.
The model you depend on may need two governments' sign-off
Put this beside what is already happening in Washington. The United States now runs its own pre-release testing of frontier models through a dedicated evaluation body, and Europe is now building the same capacity on its side of the Atlantic. A company that builds a product on a leading model could soon find that model has to satisfy evaluators in two jurisdictions before it is cleared for use - and that a delay or a restriction in either one lands on your roadmap, not the vendor's.
The practical move is not to wait for August. Map which of your AI uses touch the high-risk or critical-sector categories the Act cares about, because those are where evaluation, documentation and access conditions arrive first. Know whether the models you rely on are the ones regulators will scrutinise, and keep a fallback in mind. The firms that understand their exposure before the AI Office starts using its powers will adapt on their own schedule; the ones that assume nothing changes until they are told will adapt on someone else's.
Read next: August 2 Is When the EU AI Fines Become Real | Your AI Vendors Face EU Fines From August 2



